docs: Update Runtime-Watcher Architecture Documentation #720
Merged
medmes merged 5 commits on May 8, 2026
Reflect changes introduced by epic kyma-project/lifecycle-manager#2998 (Robust Zero-Downtime CA Cert Rotation) and the listener v2 cleanup:

- Remove SAN Pinning section: san_pinning.go was deleted and VerifyFunc was removed from the listener API
- Listener: replace RegisterListenerComponent/channel-return pattern with the current NewSKREventListener / ReceivedEvents() API; describe XFCC-based runtime ID extraction from the client certificate CN; update example link to internal/controller/kyma/setup.go
- Runtime Watcher: update WatchEvents link to listener/pkg/v2/types/event.go; clarify that a WatchEvent carries a resource reference (name/namespace + GVK) rather than the full object body
- Watcher CR: fix stale commit-SHA link to the watcher controller
- Certificates: document the two-secret model (klm-watcher / klm-istio-gateway), CA bundle management, caAddedToBundleAt annotation, Istio Gateway Secret controller, Gardener cert-management backend, and the six-step zero-downtime CA rotation flow with a link to ADR 007

Closes kyma-project#685
Force-pushed from c12486c to 24aca87
- Replace all occurrences of "listener package" with "listener module" (or "runtime-watcher/listener") to avoid ambiguity with Go's package concept (per review comment by Tomasz-Smelcerz-SAP)
- Drop "operator" framing for the listener: it defines an HTTP endpoint, not a K8s operator (per review comment by Tomasz-Smelcerz-SAP)
Tomasz-Smelcerz-SAP approved these changes on May 8, 2026
nataliasitko reviewed on May 8, 2026
Co-authored-by: Natalia Sitko <80401180+nataliasitko@users.noreply.github.com>
nataliasitko approved these changes on May 8, 2026
Summary

Brings docs/architecture.md up to date with all changes introduced by epic kyma-project/lifecycle-manager#2998 (Robust Zero-Downtime CA Cert Rotation) and the listener v2 cleanup (issues #548 and #549).

- Remove SAN Pinning section: san_pinning.go was deleted from lifecycle-manager and VerifyFunc was removed from the listener API; the section was no longer accurate.
- Listener: replace the RegisterListenerComponent/channel-return pattern with the current NewSKREventListener/ReceivedEvents() API; describe XFCC-based runtime ID extraction from the client certificate Common Name; update the example link to internal/controller/kyma/setup.go.
- Runtime Watcher: update the WatchEvents type link to listener/pkg/v2/types/event.go; clarify that a WatchEvent carries a resource reference (name + namespace + GVK), not the full object body.
- Certificates: document the two-secret model (klm-watcher/klm-istio-gateway), CA bundle management, caAddedToBundleAt annotation, the new Istio Gateway Secret controller, Gardener cert-management as an alternative backend, and the six-step zero-downtime CA rotation flow; add a link to ADR 007 for the full design rationale.

Related issue: #685
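The XFCC-based runtime ID extraction that the commit message and the summary above both refer to, shown here as an added Go example that is not the runtime-watcher or lifecycle-manager code: it parses an Envoy/Istio `X-Forwarded-Client-Cert` header value and returns the Common Name of the client certificate's Subject as the runtime ID. The header layout (elements separated by `,`, fields separated by `;`, quoted `Subject`/`URI`/`DNS` values) is Envoy's documented format; the function names, the error handling, the SPIFFE identity and the sample header values are constructed for this illustration and are assumptions, not the project's API.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// XFCCHeader is the header Envoy (and therefore the Istio gateway in
// front of the listener) populates with details of the mTLS client
// certificate it verified.
const XFCCHeader = "X-Forwarded-Client-Cert"

// splitOutsideQuotes splits s on sep while ignoring separators that sit
// inside double-quoted values. XFCC quotes Subject, URI and DNS values
// precisely because a DN can legally contain ';' and ','.
func splitOutsideQuotes(s string, sep rune) []string {
	var parts []string
	var cur strings.Builder
	inQuotes := false
	for _, r := range s {
		switch {
		case r == '"':
			inQuotes = !inQuotes
			cur.WriteRune(r)
		case r == sep && !inQuotes:
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	return append(parts, cur.String())
}

// parseXFCCElement turns one element ("By=...;Hash=...;Subject=...") into
// a key/value map, stripping the quotes around quoted values.
func parseXFCCElement(elem string) map[string]string {
	fields := make(map[string]string)
	for _, kv := range splitOutsideQuotes(elem, ';') {
		k, v, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if !ok {
			continue
		}
		fields[k] = strings.Trim(v, `"`)
	}
	return fields
}

// commonName returns the CN attribute of a subject DN. Current Envoy emits
// the RFC 2253 form ("CN=a,O=b"); older builds used the OpenSSL one-line
// form ("/O=b/CN=a"), so both are accepted. Backslash-escaped separators
// inside attribute values are deliberately not handled here.
func commonName(subject string) (string, error) {
	attrs := strings.Split(subject, ",")
	if strings.HasPrefix(subject, "/") {
		attrs = strings.Split(subject[1:], "/")
	}
	for _, attr := range attrs {
		k, v, ok := strings.Cut(strings.TrimSpace(attr), "=")
		if ok && strings.EqualFold(k, "CN") && v != "" {
			return v, nil
		}
	}
	return "", errors.New("client certificate subject has no CN")
}

// RuntimeIDFromXFCC derives the runtime ID from the CN of the client
// certificate described by an XFCC header value. Only the first element
// is consulted: it describes the certificate presented by the original
// client, whereas later elements are appended by intermediate proxies.
// Hypothetical helper; the real listener's function name may differ.
func RuntimeIDFromXFCC(header string) (string, error) {
	header = strings.TrimSpace(header)
	if header == "" {
		return "", fmt.Errorf("missing %s header", XFCCHeader)
	}
	client := parseXFCCElement(splitOutsideQuotes(header, ',')[0])
	subject, ok := client["Subject"]
	if !ok || subject == "" {
		return "", errors.New("XFCC carries no client certificate subject")
	}
	return commonName(subject)
}

func main() {
	// Constructed sample header values; not captured from a real cluster.
	samples := []string{
		`By=spiffe://cluster.local/ns/kcp-system/sa/klm;Hash=0123abcd;Subject="CN=kyma-2f3a9e,O=kyma,L=Walldorf";URI=`,
		`Hash=ff00;Subject="/O=kyma/CN=kyma-legacy-1"`,
		`Hash=aa;Subject="CN=client-1",By=gw;Hash=bb;Subject="CN=proxy-hop"`,
		`Hash=ff00;Subject=""`,
		``,
	}
	for _, h := range samples {
		id, err := RuntimeIDFromXFCC(h)
		fmt.Printf("%q -> id=%q err=%v\n", h, id, err)
	}
}
```

The value of this header is only as trustworthy as the proxy that sets it: the gateway must terminate mTLS itself and must replace, not forward, any `X-Forwarded-Client-Cert` supplied by the caller, and the listener endpoint must not be reachable except through that gateway. Otherwise any client can claim an arbitrary runtime ID simply by sending the header. Because the identity is the CN chosen when the certificate was issued, the binding between a runtime and its ID is only as strong as the CA that signed the client certificate, which is why the CA rotation procedure documented in this PR has to be zero-downtime rather than a cut-over.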